lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190
							[role="xpack"]
[testenv="platinum"]
[[ml-get-overall-buckets]]
=== Get Overall Buckets API
++++
<titleabbrev>Get Overall Buckets</titleabbrev>
++++

Retrieves overall bucket results that summarize the
bucket results of multiple jobs.

==== Request

`GET _xpack/ml/anomaly_detectors/<job_id>/results/overall_buckets` +

`GET _xpack/ml/anomaly_detectors/<job_id>,<job_id>/results/overall_buckets` +

`GET _xpack/ml/anomaly_detectors/_all/results/overall_buckets`

==== Description

You can summarize the bucket results for all jobs by using `_all` or by
specifying `*` as the `<job_id>`.

An overall bucket has a span equal to the largest `bucket_span` value for the
specified jobs.

The `overall_score` is calculated by combining the scores of all
the buckets within the overall bucket span. First, the maximum `anomaly_score` per
job in the overall bucket is calculated. Then the `top_n` of those scores are
averaged to result in the `overall_score`. This means that you can fine-tune
the `overall_score` so that it is more or less sensitive to the number
of jobs that detect an anomaly at the same time. For example, if you set `top_n`
to `1`, the `overall_score` is the maximum bucket
score in the overall bucket. Alternatively, if you set `top_n` to the number of
jobs, the `overall_score` is high only when all jobs detect anomalies in that
overall bucket.

In addition, the optional parameter `bucket_span` may be used in order
to request overall buckets that span longer than the largest job's `bucket_span`.
When set, the `overall_score` will be the max `overall_score` of the corresponding
overall buckets with a span equal to the largest job's `bucket_span`.

==== Path Parameters

`job_id`::
  (string) Identifier for the job. It can be a job identifier, a group name, a
  comma-separated list of jobs or groups, or a wildcard expression.

==== Request Body

`allow_no_jobs`::
  (boolean) If `false` and the `job_id` does not match any job an error will
  be returned. The default value is `true`.

`bucket_span`::
  (string) The span of the overall buckets. Must be greater or equal
  to the largest job's `bucket_span`. Defaults to the largest job's `bucket_span`.

`end`::
  (string) Returns overall buckets with timestamps earlier than this time.

`exclude_interim`::
  (boolean) If `true`, the output excludes interim overall buckets.
  Overall buckets are interim if any of the job buckets within
  the overall bucket interval are interim.
  By default, interim results are included.

`overall_score`::
  (double) Returns overall buckets with overall scores greater or equal than this value.

`start`::
  (string) Returns overall buckets with timestamps after this time.

`top_n`::
  (integer) The number of top job bucket scores to be used in the
  `overall_score` calculation. The default value is `1`.


===== Results

The API returns the following information:

`overall_buckets`::
  (array) An array of overall bucket objects. For more information, see
  <<ml-results-overall-buckets,Overall Buckets>>.


==== Authorization

You must have `monitor_ml`, `monitor`, `manage_ml`, or `manage` cluster
privileges to use this API. You also need `read` index privilege on the index
that stores the results. The `machine_learning_admin` and `machine_learning_user`
roles provide these privileges. For more information, see
{xpack-ref}/security-privileges.html[Security Privileges] and
{xpack-ref}/built-in-roles.html[Built-in Roles].


==== Examples

The following example gets overall buckets for jobs with IDs matching `job-*`:

[source,js]
--------------------------------------------------
GET _xpack/ml/anomaly_detectors/job-*/results/overall_buckets
{
  "overall_score": 80,
  "start": "1403532000000"
}
--------------------------------------------------
// CONSOLE
// TEST[skip:todo]

In this example, the API returns a single result that matches the specified
score and time constraints. The `overall_score` is the max job score as
`top_n` defaults to 1 when not specified:
[source,js]
----
{
  "count": 1,
  "overall_buckets": [
    {
      "timestamp" : 1403532000000,
      "bucket_span" : 3600,
      "overall_score" : 80.0,
      "jobs" : [
        {
          "job_id" : "job-1",
          "max_anomaly_score" : 30.0
        },
        {
          "job_id" : "job-2",
          "max_anomaly_score" : 10.0
        },
        {
          "job_id" : "job-3",
          "max_anomaly_score" : 80.0
        }
      ],
      "is_interim" : false,
      "result_type" : "overall_bucket"
    }
  ]
}
----

The next example is similar but this time `top_n` is set to `2`:

[source,js]
--------------------------------------------------
GET _xpack/ml/anomaly_detectors/job-*/results/overall_buckets
{
  "top_n": 2,
  "overall_score": 50.0,
  "start": "1403532000000"
}
--------------------------------------------------
// CONSOLE
// TEST[skip:todo]

Note how the `overall_score` is now the average of the top 2 job scores:
[source,js]
----
{
  "count": 1,
  "overall_buckets": [
    {
      "timestamp" : 1403532000000,
      "bucket_span" : 3600,
      "overall_score" : 55.0,
      "jobs" : [
        {
          "job_id" : "job-1",
          "max_anomaly_score" : 30.0
        },
        {
          "job_id" : "job-2",
          "max_anomaly_score" : 10.0
        },
        {
          "job_id" : "job-3",
          "max_anomaly_score" : 80.0
        }
      ],
      "is_interim" : false,
      "result_type" : "overall_bucket"
    }
  ]
}
----